CSE Research Server Management


Overview

CSE IT aims to balance the need to provide adaptable computing systems to researchers with the need to provide a safe, secure, and functional environment that is compliant with UB's IT policies and system administration best practices.  

In response to situations where it is beneficial for a research group to configure and manage their own systems, CSE has adopted a model to allow "Researcher-Managed" systems to be placed on designated networks where trusted users have administrative access to systems owned by their research group.

CSE IT-Managed vs. Researcher-Managed Systems

CSE IT-Managed systems are the core of the department's computing resources. These systems offer general computing services that are shared between students and faculty and are configured to achieve maximum accessibility and security. CSE IT staff are the only users allowed administrative access to these systems. CSE IT-Managed systems favor stable configurations that do not require frequent changes.

Researcher-Managed systems grant administrative control of the environment to a researcher and their team, allowing them to make changes to the operating system, install the latest versions of software packages, and manage user accounts. This level of control provides researchers with a platform that can be customized to their specific research goals while balancing stability and usability at a level that is appropriate to the task. Researcher-Managed systems can be used for development and cutting-edge software implementations.

Researchers should thoroughly read this documentation and the specified guidelines before deciding to manage their own systems. Due to security policy, a Researcher-Managed system cannot be changed to a CSE IT-Managed system without destructive procedures that include a full re-installation of the operating system.

Researcher-Managed Systems

Management and administration of computing systems is not a task to be undertaken lightly. Very real and dangerous consequences can arise if misconfigured systems become compromised, and failure to adhere to system administration best practices could have a detrimental effect on the performance and stability of other systems on the network.

For these reasons, Researcher-Managed systems are placed on protected networks that limit the opportunity for abuse of other computing resources, and the responsibilities of the researcher and CSE IT staff are well-defined.

Role of the Researcher

The researcher agrees to take sole responsibility for configuring and maintaining the system and ensuring that it remains in compliance with all CSE and UB IT policies. This includes, but is not limited to, responsibility for the following tasks:

  1. Operating system installation, configuration, and updates.
  2. Software installation, configuration, and updates.
  3. Hardware repair and replacement.
  4. Data backup and recovery.
  5. Security fixes, antivirus functionality, and mitigation of system compromises.

Researchers are solely accountable for addressing problems on the systems they manage, for example, when:

  1. Hardware failure or data loss occurs.
  2. Intellectual property, digital rights, or software/media piracy laws are infringed upon.
  3. Instability or misconfiguration on the system compromises other systems on the network.

Researchers agree to adhere to all IT policies and guidelines provided by the Department of Computer Science and Engineering and the University at Buffalo. Failure to adhere to these policies will result in the removal of the Researcher-Managed system from the network.

An overview of UBIT's policies can be accessed here:

http://www.buffalo.edu/ubit/policies.html

Role of the CSE IT Staff

The CSE IT staff agrees to provide the Researcher-Managed system with a connection to a protected network in compliance with UB's IT policies. Outgoing network access is generally unrestricted. Incoming access by default is limited to on-campus network connections or connections made via the UBVPN.

The logistics of supporting customized operating systems and software configurations limit the amount of help that CSE IT staff can provide for Researcher-Managed systems. CSE IT staff will support Researcher-Managed machines on a "best effort" basis. Researchers are welcome to ask CSE IT staff questions about their systems, but staff may not be able to help with every problem.

The CSE IT staff retains the right to disconnect Researcher-Managed systems from the network, with no notice to the managing researcher, if it is deemed that the system is causing network instability, acting suspiciously, or has been compromised.

Researcher-Managed System Requirements

The following configurations are required for all Researcher-Managed systems. Failure to maintain these configurations will result in the removal of the Researcher-Managed system from the network.

  1. CSE IT Administrative Account. An account named "cse-it", with full administrative permissions, must be created on the system. This account will be used by CSE IT staff in emergencies and when auditing the system. Assign this account an arbitrary (strong) password, then communicate this password to the CSE IT staff so that they can change it.
  2. Network Configuration. Researcher-Managed systems are provided network settings through the Dynamic Host Configuration Protocol (DHCP). As part of connecting your system to the network, you will be asked to provide both a MAC address and a desired host name (if applicable to your research group). Do not set networking configurations manually without first checking with the CSE IT staff. Your machine will be given the same "static" address for the lifetime of that machine as long as the MAC address does not change.

System Management Guidelines and Best Practices

The following guidelines should be used as a starting point for meeting the IT policies of the Department and University.

  1. Antivirus Software. For MacOS and Windows installations, install antivirus software and update it regularly. Antivirus software may be obtained from UBIT.
  2. Host-based Firewall. Enable the host-based application firewall to further protect your system from malicious network traffic. For further details, consult the documentation for your operating system.
  3. Operating System Automated Updates. Enable automated updates to keep your system updated with the latest security releases. For further details, consult the documentation for your operating system.
  4. Account Management.
    • Create strong passwords/passphrases for all user accounts.
    • Create distinct user and administrative accounts. An administrative account should only be accessed when a software install or configuration change is needed. All normal work should be done with an unprivileged user account.
    • Windows users should disable the built-in "Administrator" and "Guest" accounts.
    • Linux and MacOS users should use sudo from a user account instead of the root user account.
    • Keep user accounts that you create consistent with UBIT user accounts, including the same user id (UID) and group id (GID) values. This is essential when interfacing with remote CSE and UBIT systems and services.
  5. Hostname Management. Keep the system's local hostname consistent with its corresponding Domain Name System (DNS) record. Use the nslookup command to verify the name allocated for your machine in DNS. Use a name that is meaningful to you and other researchers in your lab. Check with your adviser to see if your lab already has a host naming scheme.
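
The "cse-it" account requirement and the account and hostname guidelines above can be spot-checked on a Linux system with a short script. This is an added example, not a CSE IT tool; it assumes administrative rights are granted through membership in the sudo or wheel group, and the sample accounts, ID values, and example.edu host names are constructed.

```shell
# Added example. Assumption: admin rights come from membership in sudo or wheel.
ADMIN_GROUPS="sudo wheel"

# account_exists PASSWD_FILE USER
account_exists() {
    awk -F: -v u="$2" '$1 == u { ok = 1 } END { exit !ok }' "$1"
}

# in_admin_group GROUP_FILE USER: member list (field 4) only, not primary group
in_admin_group() {
    for g in $ADMIN_GROUPS; do
        awk -F: -v g="$g" -v u="$2" '
            $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
            END { exit !ok }' "$1" && return 0
    done
    return 1
}

# ids_match PASSWD_FILE USER UID GID: local IDs equal the UBIT-assigned ones
ids_match() {
    awk -F: -v u="$2" -v uid="$3" -v gid="$4" '
        $1 == u && $3 == uid && $4 == gid { ok = 1 } END { exit !ok }' "$1"
}

# hostname_matches LOCAL DNS_NAME: short names agree, ignoring case
hostname_matches() {
    l=$(printf '%s' "${1%%.*}" | tr 'A-Z' 'a-z')
    d=$(printf '%s' "${2%%.*}" | tr 'A-Z' 'a-z')
    [ -n "$l" ] && [ "$l" = "$d" ]
}

# audit PASSWD GROUP LOCAL_HOST DNS_HOST: prints findings, returns failure count
audit() {
    fails=0
    account_exists "$1" cse-it || { echo "FAIL: no cse-it account"; fails=$((fails + 1)); }
    in_admin_group "$2" cse-it || { echo "FAIL: cse-it not in an admin group"; fails=$((fails + 1)); }
    hostname_matches "$3" "$4" || { echo "FAIL: hostname '$3' differs from DNS '$4'"; fails=$((fails + 1)); }
    return "$fails"
}

# write_sample DIR: constructed passwd/group files, not real accounts
write_sample() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'cse-it:x:1500:1500:CSE IT:/home/cse-it:/bin/bash' \
        'alice:x:20417:20000:Alice:/home/alice:/bin/bash' > "$1/passwd"
    printf '%s\n' 'sudo:x:27:cse-it,alice' 'labusers:x:20000:' > "$1/group"
}
demo=$(mktemp -d) && write_sample "$demo"
audit "$demo/passwd" "$demo/group" labnode1 labnode1.cse.example.edu && echo "all checks passed"
```

On a live host, pass /etc/passwd, /etc/group, the output of hostname, and the name that nslookup reports for the machine. Accounts served from a directory service do not appear in /etc/passwd, so the file-based checks cover local accounts only.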
